Monday 3 July, was a typically warm, humid day in New York City. The stock markets were closing at 1pm, ahead of America’s annual 4th of July Independence Day celebrations. Traders across the Big Apple were looking forward to an afternoon out of the office.
Read more: Russia’s next fake news campaign could devastate the economy
Yet as New York’s financial community left their offices and headed for the beaches of the Hamptons or the cooler forests of Upstate, shock waves rippled through the markets. Just before 12.30pm local time, the world’s biggest stock exchange, Nasdaq, was displaying the stock prices of Amazon, Microsoft, Apple, and more than a dozen other companies at same price; $123.47. For both Amazon and Google, the companies had apparently just lost 87 per cent of their market value. For Microsoft, the company was briefly valued at $1 trillion.
The cause? Nasdaq claimed that “erroneous third party test data” was behind the wild swings in stock prices. Whilst we should take Nasdaq at its word – that this was a simple error – it is vital to remember that Nasdaq had no other choice. Communicating any kind of hack or security breach would trigger a major market incident and, potentially, a financial crash similar to that of 2008. It is, nevertheless, incumbent to consider the alternatives, and explore the possibility that the 3 July resetting of share prices was a deliberate act.
The stock market is one of the most complex systems ever created. Billions of dollars of shares trade hands every second and, particularly in New York, thousands of algorithms are automatically buying and selling on the city’s stock markets (there are now 11 of them). With all of this noise, to reset some of America’s biggest shares to the same price is an astonishing – but not impossible – technical challenge.
The Nasdaq stock exchange has long been a target for nation states. Back in 2010, stories emerged that Nasdaq had been penetrated by Russian intelligence, and a subsequent investigation revealed the stock exchange’s IT setup was a “dirty swamp”. Several different groups, from nation-states to criminals, were operating freely within Nasdaq’s computer systems. A high ranking US intelligence official later confirmed: “We’ve seen a nation-state gain access to at least one of our stock exchanges.”
In China, there is also some evidence that the People’s Liberation Army (PLA) sees the stock market as a legitimate target. In 1999 two PLA generals published “Unrestricted Warfare”, outlining a strategy in which a weaker power like China could use new aspects of warfare to cripple the more powerful United States. Amongst other forms of economic warfare, the book advocates the use of manmade stock market crashes as legitimate weapons.
Alongside Russia and China, the two most obvious candidates for the 3 July glitch, there is a third. A few hours after the $123.47 glitch occurred, North Korea launched a test of its first intercontinental ballistic missile (ICBM), attracting worldwide media attention. Threatened with US airstrikes and a possible invasion, North Korea may force the US to pause for thought via a warning shot on the American financial system. From Sony to the NHS, hackers linked to North Korea have a formidable track record.
If North Korea was behind the $123.47 glitch, it could be the first example of a nation state using cyber deterrence to warn off a physical attack. Deterrence is a phrase used in military parlance – capabilities like nuclear or chemical weapons deter other states from attacking each other. Cyber is no different, and if used in the right way, at the right time, a nation can use cyber-attacks to shape the behaviour of its adversary.
Another way to explore the glitch is the meaning of the numbers 123.47. If someone deliberately reset dozens of share prices to this amount, then why pick $123.47? One theory is that 1.23.47 is the birthday of Senator Tom Carper, who co-wrote the Protecting Cyber Space as a National Asset Act. Dubbed the ‘Killswitch Bill’, it proposed granting the president emergency powers over the internet in the event of a crippling cyber attack.
How do you price this type of risk? The reality is nobody knows. The insurance industry is built on estimating physical risk (fires, floods, or terrorist attacks). Cyber and information risks are poorly understood and unlikely to be priced appropriately. Indeed, one report suggests that 60 per cent of Fortune 500 companies lack cyber insurance because many types of cyber risks are not insured.
Behind the shiny exterior of many Wall Street banks, insurance houses and stock exchanges, there often lie woefully weak IT systems. Nic Miller, a cyber security consultant specialising in financial services points out: “banks have hugely balkanised IT systems, and the incentives for IT teams are to keep the bank’s systems running. The culture is basically: ‘if it works, leave it’.” This is music to the ears of hackers and criminals, as there are virtually infinite numbers of access points into a bank or a stock market with thousands of machines running old software.
As algorithms take over stock trading, it may be prudent to codify the operation of a paper-based stock market while we still have experts who remember how the market operated. If the 3 July glitch was the result of a hack, and Nasdaq had admitted this to the world, it would lose the one thing that underpins every financial transaction: trust. From 1929 to 2008, once the stock market stops trusting its own data, crises quickly follow.
This article was originally published by WIRED UK
